This section explains how to perform additional security configurations.
Topics:
· Configure to Restrict Access to the Default Web Server Pages
· Configure to Restrict Display of the Web Server Details
· Configure to Restrict File Uploads
· Configure to Restrict HTTP Methods Other Than GET and POST
· Configure to Enable Unlimited Cryptographic Policy for Java
· Configure Apache HTTP Server to Stop DDoS, Slowloris, and DNS Injection Attacks
To set the configurations to restrict access to default web server pages in the Apache Tomcat server, follow these steps:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
Go to the Tomcat Web Application Manager window and select Remove corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following sections in the %CATALINA_HOME%/conf/server.xml file (if present).
Section I
<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt"
          timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>
Section II
  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
             override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name>
               <value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name>
               <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource"
                global="simpleValue"
                type="java.lang.Integer"/>
</Context>
6. Delete the %CATALINA_HOME%\webapps\ROOT\index.jsp file.
7. Create a blank %CATALINA_HOME%\webapps\ROOT\index.html file.
8. Comment out the following tags in the %CATALINA_HOME%\conf\web.xml file:
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the %CATALINA_HOME%\conf\tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
To restrict the display of web server details in HTTP responses, follow these steps:
· Modify the /httpd.conf file and set:
§ the ServerTokens directive to Prod
§ the ServerSignature directive to Off
The Restrict File Uploads configuration restricts file uploads to specific file types. It applies to all OFS AAI UIs and to applications rendered from the platform's OJET component.
The following is an example of the Restrict File Uploads configuration:
DOCUMENT_ALLOWED_EXTENSION: txt, pdf, doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg.
The DOCUMENT_ALLOWED_EXTENSION parameter in the CONFIGURATION table of the “configuration” schema holds the list of file extensions for the file types that may be attached and uploaded into the OFSAA applications. Attached files whose extension is not in this list are blocked. The list can be extended.
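The following is an added example, not OFSAA code, showing how an extension allowlist of this kind should be evaluated so that only the final extension of the file name is judged and double extensions, hidden files and trailing dots are all blocked. The parameter value is copied inline as constructed sample data rather than read from the CONFIGURATION table.

```python
# Constructed copy of the DOCUMENT_ALLOWED_EXTENSION value quoted above; in the
# product it is read from the CONFIGURATION table, here it is inline sample data.
DOCUMENT_ALLOWED_EXTENSION = "txt, pdf, doc, html, htm, xls, zip, jar, xml, jpg, bmp, jpeg"


def parse_allowed_extensions(raw):
    """Normalise the comma-separated parameter value into a lower-case set."""
    return {e.strip().lower().lstrip(".") for e in raw.split(",") if e.strip()}


def upload_allowed(filename, allowed):
    """Return True only if the file's final extension is in the allowlist.

    Only the last extension is judged, so 'report.pdf.exe' is an 'exe' file.
    Names with no extension, a trailing dot, or an empty base name (such as
    '.htaccess') are rejected, and any client-supplied directory part is ignored.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or "\0" in name:
        return False
    base, dot, ext = name.rpartition(".")
    if not (base and dot and ext):
        return False
    return ext.lower() in allowed


def main():
    allowed = parse_allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    # Constructed sample file names a user might try to attach.
    samples = ["Report.PDF", "photo.jpeg", "notes.txt", "report.pdf.exe",
               "archive.tar.gz", "page.jsp", "notes.", ".htaccess",
               "../../etc/passwd"]
    for s in samples:
        verdict = "allowed" if upload_allowed(s, allowed) else "blocked"
        print(f"{s!r:22} -> {verdict}")


if __name__ == "__main__":
    main()
```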
To set the configuration required to restrict HTTP methods other than GET and POST, follow these steps:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server, Oracle HTTP Server, or IBM HTTP Server) to add the following directives:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule .* - [R=405,L]
2. If the application runs on a WebLogic or WebSphere application server that is not fronted by an HTTP Server, follow these steps:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory in the OFSAA installed server.
c. Execute the ./ant.sh command to regenerate the <CONTEXTNAME>.ear/.war file.
d. Redeploy the EAR/WAR file onto your configured web application server.
For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the OFS Analytical Applications Infrastructure Installation and Configuration Guide.
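The two mechanisms above enforce the method restriction differently: the RewriteCond is an allowlist (anything other than GET and POST is refused), while the web.xml constraint is a denylist (only the listed methods are refused). The following added example, which is not part of the page or the product, models both policies so the difference can be seen on a constructed set of request methods; the status codes stand for the decision of that layer only, with 200 meaning "not refused by this layer".

```python
import re

# Policy A: the httpd.conf rule quoted above is an allowlist. The RewriteCond
# pattern ^(GET|POST) is negated, so any method that does not match it gets 405.
# (The pattern is anchored at the start only; ^(GET|POST)$ states the same
# intent with the end anchored as well.)
REWRITE_ALLOW = re.compile(r"^(GET|POST)")

# Policy B: the web.xml <security-constraint> quoted above is a denylist. The
# listed methods carry an empty <auth-constraint/>, which the container answers
# with 403; a method that is not listed is passed through to the application.
WEB_XML_DENIED = {"PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def rewrite_policy(method):
    """Status the mod_rewrite rule yields: 405 unless the method matches."""
    return 200 if REWRITE_ALLOW.match(method) else 405


def web_xml_policy(method):
    """Status the servlet constraint yields: 403 for listed methods only."""
    return 403 if method in WEB_XML_DENIED else 200


def compare_policies(methods):
    """Map each method to (rewrite_status, web_xml_status)."""
    return {m: (rewrite_policy(m), web_xml_policy(m)) for m in methods}


def methods_only_denylist_misses(methods):
    """Methods the rewrite allowlist refuses but the web.xml denylist lets through."""
    return sorted(m for m, (a, b) in compare_policies(methods).items()
                  if a == 405 and b == 200)


if __name__ == "__main__":
    # Constructed sample: the standard verbs plus two WebDAV extension methods.
    sample = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE",
              "PROPFIND", "MKCOL"]
    for m, (a, b) in compare_policies(sample).items():
        print(f"{m:9} rewrite={a} web.xml={b}")
    print("denylist gaps:", methods_only_denylist_misses(sample))
```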
Enable the unlimited cryptographic policy for Java so that AES-256 keys can be used for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section of the OFS Analytical Applications Infrastructure Administration Guide.
To prevent Distributed Denial of Service (DDoS), Slowloris, and DNS Injection attacks on Apache HTTP Servers, you must implement specific techniques such as Request Timeout and Quality of Service Extension.
For details, see the following sections.
· Configure Quality of Service Extension to Mitigate Slow HTTP DoS Attacks
You can configure the Request Timeout values (the time allowed to receive the HTTP request header and the HTTP request body from a client) in the mod_reqtimeout module, which is included by default in Apache HTTP Server v2.2.15 and later. If the client does not send the header or body data within the configured time, the server returns a 408 Request Timeout error.
The following example shows a configuration that allows the client 30 seconds to start sending the header data, with an overall limit of 45 seconds, and requires the client to transfer header data at a rate of at least 600 bytes per second. Similarly, the client must start transferring the body data within 40 seconds, complete it within 60 seconds, and send at least 700 bytes per second.
<IfModule mod_reqtimeout.c>
RequestReadTimeout header=30-45,MinRate=600 body=40-60,MinRate=700
</IfModule>
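To make the header-stage behaviour of RequestReadTimeout header=30-45,MinRate=600 concrete, the following added example (a simplified model written for this page, not mod_reqtimeout's own code) replays constructed arrival patterns against the rule: the deadline starts at 30 seconds, every 600 bytes received extend it by one second, and it never passes 45 seconds. A browser that sends its header at once completes, a trickle of a few bytes every few seconds is cut off with 408, and a slow but steady sender keeps extending the deadline up to the cap.

```python
# Model of the header stage of the RequestReadTimeout line quoted above,
# header=30-45,MinRate=600: the stage starts with a 30 s deadline, every byte
# the client sends moves the deadline forward by 1/600 s (one second per
# 600 bytes), and the deadline never passes 45 s. This is a simplified model
# of the documented rule, not mod_reqtimeout's own code.
INITIAL_S = 30.0   # "30" in header=30-45
MAX_S = 45.0       # "45" in header=30-45
MIN_RATE = 600     # MinRate=600, bytes per second of extension


def header_stage_outcome(arrivals, header_bytes,
                         initial=INITIAL_S, maximum=MAX_S, min_rate=MIN_RATE):
    """Replay (time_s, bytes) arrivals against the timeout rule.

    Returns ("complete", t) when header_bytes have arrived by time t, or
    ("timeout_408", deadline) when the deadline passes before that.
    """
    deadline = initial
    received = 0
    for t, n in sorted(arrivals):
        if t > deadline:
            return ("timeout_408", deadline)
        received += n
        deadline = min(maximum, deadline + n / min_rate)
        if received >= header_bytes:
            return ("complete", t)
    return ("timeout_408", deadline)


def steady_sender(bytes_per_chunk, interval_s, chunks):
    """Constructed client that sends one chunk every interval_s seconds."""
    return [((i + 1) * interval_s, bytes_per_chunk) for i in range(chunks)]


if __name__ == "__main__":
    # Constructed traffic patterns; a typical request header is under 1 KB.
    browser = [(0.1, 800)]
    trickle = steady_sender(20, 5, 40)          # 20 bytes every 5 s, never finishes
    slow_steady = steady_sender(600, 1, 40)     # 600 B/s keeps extending the deadline
    for name, pattern, size in [("browser", browser, 800),
                                ("trickle", trickle, 800),
                                ("slow_steady", slow_steady, 24000)]:
        print(f"{name:12} -> {header_stage_outcome(pattern, size)}")
```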
You can configure the Quality of Service Extension in the mod_qos module of the Apache HTTP Server to set the priorities for specific HTTP Requests.
The following example shows a configuration that mitigates slow HTTP DoS attacks. It allows the server to handle connections from up to 110000 different client IP addresses and limits each IP address to a maximum of 60 connections. It limits the server to 300 active TCP connections and disables HTTP KeepAlive when 240 connections are in use. It also requires a minimum data rate of 100 bytes per second per connection, and raises that required minimum up to 1500 bytes per second as the connection count approaches the MaxClients limit.
<IfModule mod_qos.c>
# handle connections from up to 110000 different IPs
QS_ClientEntries 110000
# allow only 60 connections per IP
QS_SrvMaxConnPerIP 60
# limit the maximum number of active TCP connections to 300
MaxClients 300
# disables keep-alive when 240 (80%) TCP connections are occupied
QS_SrvMaxConnClose 240
# minimum request/response speed
# (deny clients that keep connections open without requesting anything)
QS_SrvMinDataRate 100 1500
</IfModule>